Contextual Security Architecture

The Business View

Before an architect can begin work, the business owner has to specify what sort of building is needed. Having stated what sort of building is needed, the owner must then decide some more detail about its use:

Why do you want this building? The goals that you want to achieve.

How will it be used? The detailed functional description.

Who will use the building, including the types of people, their physical mobility, the numbers of them expected, and so on?

Where should it be located, and what is its geographical relationship to other buildings and to the infrastructure (such as roads, railways, etc.)?

When will it be used? The times of day, week, year, and the pattern of usage over time. (Sherwood, Clark, & Lynas, 2005)

Understanding requirements is a prerequisite to effective design. The same approach applies when developing an architecture for a secure information system:

What type of information system is it, and for what will it be used?

Why will it be used?

How will it be used?

Who will use it?

Where will it be used?

When will it be used? (Sherwood, Clark, & Lynas, 2005)

By asking these questions you establish the business requirements. In the SABSA® Model, this business view is called the contextual security architecture, and it is concerned with:

What? The business, its assets to be protected (brand, reputation, etc.) and the business needs for information security (security as a business enabler, secure electronic business, operational continuity and stability, compliance with the law, etc.);

Why? The business risks expressed in terms of assets, goals, success factors and the threats, impacts and vulnerabilities that put these at risk, driving the need for business security (brand protection, fraud prevention, loss prevention, legal obligations, business continuity, etc.);

How? The business processes that require security (business interactions and transactions, business communications, etc.);

Who? The organizational aspects of business security (management structures, supply chain structures, out-sourcing relationships, strategic partnerships);

Where? The business geography and location-related aspects of business security (the global village market place, distributed corporate sites, remote working, etc.);

When? The business time dependencies and time-related aspects of business security in terms of both performance and sequence (business transaction throughput, lifetimes and deadlines, just-in-time operations, time-to-market, etc.). (Sherwood, Clark, & Lynas, 2005)

Source:

Sherwood, J., Clark, A., & Lynas, D. (2005). The Business View. In J. Sherwood, A. Clark, & D. Lynas, Enterprise Security Architecture (pp. 35-36). San Francisco: CMP Books.

©2018 by Ken Yee's University of San Diego Cyber Security Operations & Leadership Capstone Course Portfolio.